SECURITY SYSTEM

TECHNICAL FIELD OF THE INVENTION 

This invention relates to computer systems, and in 
particular to the improvement of security in such 
systems. More specifically, the invention relates to a 
method for improving the security of communications, 
for example over a computer network, although it is 
also applicable to increasing the security of a 
computer system. 
BACKGROUND OF THE INVENTION 

US-5,689,565 describes a cryptography system
architecture for a computer, which provides
cryptographic functionality to support an application
which requires cryptography. The cryptography system
has a cryptographic application program interface
(CAPI) which interfaces with the application to receive
requests for cryptographic functions. The system
further includes at least one cryptographic service
provider (CSP) that is independent from, but
dynamically accessible by, the CAPI. The CSP provides
the cryptographic functionality and manages the secret
cryptographic keys.

This system architecture is used in many 
applications in which data may desirably be transferred 
across unsecured computer networks such as the 
internet. For example, this architecture can be used 
in applications such as email clients, web browsers, 
etc. A similar architecture can be used for access 
control within a computer system, and for hard disc 
encryption.

US-6,038,551 describes a development of the
architecture disclosed in US-5,689,565, in which the
computer includes a card reader, and an integrated 
circuit card (IC card) stores the cryptographic keys 
used by the CSP in the computer, and can perform 
is taken to specify the presence of stated features,
integers, steps or components but does not preclude the 
presence or addition of one or more other features, 
integers, steps, components or groups thereof. 
BRIEF DESCRIPTION OF DRAWINGS 

Figure 1 is a block schematic diagram of a first 
system implementing the present invention. 

Figure 2 is a flow chart showing the operation of 
the system of Figure 1. 

Figure 3 is a flow chart showing in more detail a 
part of the operation illustrated in Figure 2. 

Figure 4 is a block schematic diagram of a second 
system implementing the present invention. 

Figure 5 is a block schematic diagram of a third 
system implementing the present invention. 

Figure 6 is a flow chart showing the operation of 
the system of Figure 5. 

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

Figure 1 is a block schematic diagram of a
computer system, including a personal computer (PC) 10,
only the relevant components of which are shown. It
will be apparent that, in this embodiment of the
invention, and in the other illustrated embodiments,
any computer system can be used in exactly the same way
as the PC 10.

The computer has a connection to an external 
network 12, for example through a modem (not shown). 
Of particular concern here is the situation where the 
computer 10 is connected to an unsecured network, such 
as the internet. 

The computer 10 has various software applications 
which require external communication, such as an email 
application 14, and a web browser 16, which use Secure 
Socket Layer (SSL) and/or Transport Layer Security 
(TLS) security. In many cases, the information which 
Transport Layer Security (WTLS) can be used. This
provides confidentiality for users, by encrypting 
messages which are transmitted over the wireless 
interface, and also provides authentication, by means 
of digital certificates. 

In order to provide this WTLS functionality, the 
WAP-enabled device 30 includes a cryptographic module, 
which uses an embedded public key and private key on 
handshake for authentication, then generates symmetric 
session keys, which are used to encode messages before 
transmission and to decode received messages. 

For example, the phone 30 may also include a
Subscriber Identity Module - Wireless Identity Module
(SIM-WIM) card 32, which is used to identify the
subscriber, and can contain the cryptographic module.
Alternatively, the cryptographic module can be realised
in hardware or in software 34 in the phone 30, or may
be provided on an external smart card. In order to
access the cryptographic module, the MS 30 includes a
security manager module 38. The operation of these
devices will be explained further below.

In accordance with preferred embodiments of the 
present invention, the cryptographic module of the 
phone, and other features which are used to provide 
secure communication using the Wireless Application 
Protocol, also allow the phone 30 to provide some or
all of the functionality of a cryptography service
provider.

In the case where the cryptographic module is
embodied in hardware, the necessary information is
provided on an integrated circuit in the device.

Where the Wireless Public Key Infrastructure
(WPKI) is used to distribute the parameters for WTLS,
it can also be used to distribute the parameters
required for use as a cryptography service provider.
provider and the MS are possible.

Figure 2 is a flow chart showing a method by which
the PC 10 can use the cryptographic functionality in
the mobile phone 30.

The procedure starts with step 100, in which the
application in the PC 10, such as the email application
14 or web browser 16 determines that cryptographic
functionality is required, and sends a command to the
CAPI 18. The cryptographic functionality which is
required may for example be encryption, decryption,
hash generation, message signing, verification, key
generation, certificate management, or random number
generation. Other types of cryptographic functionality
which may be provided are described in the PKCS#11
standard mentioned above.

In step 102, the CAPI selects an appropriate CSP
to provide the cryptography function. In this case,
the CAPI selects the CSP* 26, which can access the
cryptographic module in the MS 30.

In step 104, the CAPI 18 establishes communication
with the selected CSP* 26, and the CSP* 26
establishes communications with the MS 30. As discussed
above, the communications between the PC 10 and MS 30 can
advantageously be over a Bluetooth short range radio
link.

In step 106, the operating system (OS) 20 verifies
the authenticity of the CSP*. It will be noted that
this step may be unnecessary if the authenticity of the
CSP* has already been established as part of an earlier
process. As an alternative, this step can be carried
out earlier in the process, and other changes in the
order of the illustrated steps are also possible.

In step 108, a message is passed from the CAPI 18
via the CSP* 26 to the MS 30, with details of the
cryptographic operation which is required.
communication with the hard disc 52. Since the
information which is stored on the hard disc may be
confidential, the application restricts access thereto, 
so that only authorised persons can gain access to it. 

As is conventional, therefore, the hard disc 
application 50 can call a cryptographic application 
program interface (CAPI) 18, which is provided on top
of the operating system (OS) 20.

As is also conventional, the cryptographic
application program interface (CAPI) 18 can access one
or more cryptography service providers (CSPs) 22, 24.

Different cryptography service providers (CSPs)
may, for example, use different cryptographic
algorithms, and may be used for different purposes.

In accordance with the present invention, as
described in more detail with reference to Figures 1-3,
some or all of the functionality of a cryptography
service provider is available on a separate device,
namely a mobile station (MS) 30, and the CSP* 26 can
call the required functionality from the MS 30.

The mobile station may be exactly as described 
with reference to Figures 1 and 3 above. 

Figure 5 shows a further alternative system in 
accordance with the invention.

Again, the computer system is described with 
reference to a personal computer (PC) 60, but it will 
be apparent that any computer system can be used in 
exactly the same way as the PC 60. 

The computer has a connection to an external 
network 12, for example through a modem (not shown) to 
an unsecured network, such as the internet. 

The computer 60 has various software applications 
which require external communication, such as an email 
application 14, and a web browser 16, which use Secure 
Socket Layer (SSL) and/or Transport Layer Security 
the Bluetooth short-range radio transmission protocol,
although an infrared connection is also possible. The
protocol for the connection can for example be based on
AT commands, and provides security for those
communications. The command set is advantageously a
version of the command set defined in a standard such
as PKCS#11, described in the document "PKCS#11 v2.10:
Cryptographic Token Interface Standard", published by
RSA Security Inc. and incorporated herein by reference,
where the commands are redefined as AT commands.
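
The split described above, with a PC-side module forwarding a PKCS#11-style call as an AT command and the phone's security manager passing it to the cryptographic module, is sketched in the following added example, which is not part of the original document. The `AT+PKCS11=` framing, the class names, the HMAC stand-in for signing and the in-process link that replaces the radio connection are all assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Hypothetical AT framing (assumption; the document defines no syntax):
#   request : AT+PKCS11=<function>,<hex payload>
#   response: +PKCS11: <hex result>, then OK; or ERROR
REQUEST_RE = re.compile(r"AT\+PKCS11=([A-Za-z_]+),([0-9a-f]*)")
MAX_PAYLOAD_HEX = 2048

class CryptoModule:
    """Stands in for the phone's cryptographic module; the key stays here."""
    def __init__(self, key: bytes):
        self._key = key

    def c_sign(self, data: bytes) -> bytes:
        # HMAC-SHA256 is a stand-in for the module's real signing mechanism.
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def c_digest(self, data: bytes) -> bytes:
        return hashlib.sha256(data).digest()

class SecurityManager:
    """Phone side: parses AT lines and calls only allow-listed functions."""
    def __init__(self, module: CryptoModule):
        self._ops = {"C_Sign": module.c_sign, "C_Digest": module.c_digest}

    def handle(self, line: str) -> str:
        m = REQUEST_RE.fullmatch(line.strip())
        if not m or len(m.group(2)) > MAX_PAYLOAD_HEX or len(m.group(2)) % 2:
            return "ERROR"  # malformed, oversized or odd-length payload
        op = self._ops.get(m.group(1))
        if op is None:
            return "ERROR"  # function not exposed over this interface
        return "+PKCS11: " + op(bytes.fromhex(m.group(2))).hex() + "\r\nOK"

class RemoteToken:
    """PC side (the CSP*/CT* role): forwards calls over the link."""
    def __init__(self, send):
        self._send = send  # callable that carries one line over the link

    def call(self, function: str, data: bytes) -> bytes:
        reply = self._send(f"AT+PKCS11={function},{data.hex()}\r")
        if not reply.startswith("+PKCS11: ") or not reply.endswith("\r\nOK"):
            raise RuntimeError(f"{function} rejected by device")
        return bytes.fromhex(reply[len("+PKCS11: "):-len("\r\nOK")])

def demo():
    phone = SecurityManager(CryptoModule(b"constructed-demo-key"))
    token = RemoteToken(phone.handle)  # in-process stand-in for Bluetooth
    sig = token.call("C_Sign", b"hello")
    denied = phone.handle("AT+PKCS11=C_GetAttributeValue,00")
    return sig, denied
```

The PC side only ever sees results; the key is held by `CryptoModule`, and a request for a function outside the allow-list is answered with `ERROR`.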

Figure 6 is a flow chart showing a method by which 
the PC 60 can use the cryptographic functionality in 
the mobile phone 30. 

The procedure starts with step 160, in which the 
application in the PC 60, such as the email application 
14 or web browser 16 determines that cryptographic 
functionality is required, and sends a command to the 
PKCS#11 interface 70. The cryptographic functionality
which is required may for example be encryption, 
decryption, hash generation, message signing, 
verification, key generation, certificate management or 
random number generation. 

In step 162, the PKCS#11 interface 70 selects an
appropriate CT to provide the cryptography function.
In this case, the PKCS#11 interface 70 selects the CT*
76, which can access the cryptographic module in the MS
30.

In step 164, the PKCS#11 interface 70 establishes
communication between the application and the selected
CT* 76, and the CT* 76 establishes communications with
the MS 30. As discussed above, the communications
between the PC 60 and MS 30 can advantageously be over
a Bluetooth short range radio link.

In step 166, a message is passed from the PKCS#11
interface 70 to the MS 30, calling the cryptographic

CLAIMS

1. A method of encrypting communications from a 
computer having an application program interface, the 
method comprising using a mobile communications device, 
which includes a cryptographic module for use in mobile
communication, as a cryptographic service provider.

2. A method as claimed in claim 1, wherein the
mobile communications device is a WAP-enabled device.

3. A method as claimed in claim 1 or 2, wherein
the cryptographic module is that used by the mobile
communications device for Wireless Transport Layer
Security communications.

4. A method as claimed in claim 1, 2 or 3,
comprising providing a wired connection between the
mobile communications device and the computer.

5. A method as claimed in claim 1, 2 or 3,
comprising providing a wireless connection between the
mobile communications device and the computer.

6. A method as claimed in any of claims 1 to 5,
comprising:

when the application program interface requires
cryptographic functionality, calling a cryptographic
service provider function in the mobile communications
device.

7. A mobile communications device, comprising a
cryptographic module, the cryptographic module being
usable:

(a) for encoding wireless communications from the
device;

(b) in a cryptographic service provider with an 
application program interface of a remote computer. 

8. A mobile communications device as claimed in 
claim 7, having a short-range wireless communications 
transceiver, for sending signals to and receiving 
signals from the remote computer.
to said command.

19. A module for a personal computer, wherein,
in response to the module receiving a first command 
from a cryptographic application program interface, 
indicating that it requires cryptographic 
functionality, the module sends a second command to a 
mobile communication device, such that the mobile 
communications device acts as a cryptographic service 
provider for said personal computer. 

20. A method of encrypting computer
communications, the method comprising using a separate
mobile communications device, which includes a
cryptographic module for use in mobile communication,
as a cryptographic service provider.

21. A method as claimed in claim 20, wherein the
mobile communications device is a WAP-enabled device.

22. A method as claimed in claim 20 or 21,
wherein the cryptographic module is that used by the
mobile communications device for Wireless Transport
Layer Security communications.

23. A method as claimed in claim 20, 21 or 22,
comprising providing a wireless connection between the
mobile communications device and the computer.

24. A computer system, comprising:

a computer; and

a mobile communications device, including a
cryptographic module,

the computer having at least one application which
requires cryptographic functionality,

a first part of the required cryptographic
functionality being provided in the computer, and a
second part of the required cryptographic functionality
being provided in the mobile communications device,

the computer and the mobile communications device
having means for establishing a secure communications
device.

32. A method as claimed in claim 28, comprising 
using a cryptographic module realised in hardware in 
the mobile communications device.

33. A method as claimed in claim 28, comprising 
using a cryptographic module realised in software in 
the mobile communications device. 

34. A method as claimed in claim 23, comprising 
using a cryptographic module provided on an external 
smart card which can be read by the mobile 
communications device.

35. A method as claimed in claim 28, comprising 
using a cryptographic module a Wireless Identity Module 
(WIM) card in said mobile communications device. 

36. A computer system for supporting an
application, the computer system comprising: 

a cryptographic application program interface; and 

a cryptography service provider, 

wherein, when the cryptographic application 
program interface determines that the application 
requires cryptographic functionality, sends a command 
to the cryptography service provider, and 

wherein the cryptography service provider has a 
communications link to a cryptographic module of a
mobile communications device, the cryptographic module 
of the mobile communications device being usable to 
encrypt communications between the mobile 
communications device and a telecommunications network 
over a wireless interface, and 

wherein the cryptography service provider can 
obtain the cryptographic functionality required by the
application, from the cryptographic module of the 
mobile communications device. 

37. A system as claimed in claim 36, wherein the
cryptographic module is realised in hardware in the
mobile communications device further comprising a
security manager module for receiving commands from a
computer system over a second interface, wherein, in
response to suitable commands received from the
computer system over the second interface, the security
manager module requests a cryptographic function from
the cryptographic module, and returns the results of
the cryptographic function to the computer system over
the second interface.

45. A mobile communications device as claimed in 
claim 44, wherein the security manager module responds 
to a command set defined in a standard PKCS#11, where 
the commands are redefined as AT commands. 

46. A mobile communications device as claimed 
in claim 44, wherein the second interface is a 
Bluetooth short-range radio interface.

47. A module for a computer system, the module 
comprising: 

an application interface for connection to a 
computer application; and 

an external interface for connection to a mobile 
communication device containing a cryptographic module; 

wherein, when the module receives from the 
application interface a request for a cryptographic 
function which the module is unable to provide, the 
module sends a command over the external interface to 
the mobile communications device to request the 
cryptographic function therefrom. 

48. A module for a computer system as claimed in
claim 47, wherein the module has some cryptographic 
functionality, and comprises means for determining in 
response to a request from the application interface 
whether it is able to provide the requested function 
cryptographic function. 

49. A module for a computer system as claimed in 